Is verification a bad practice? And how to protect against brute-force attackers

I'd like to get your advice about the following:

I'm making an MVC framework in PHP, and I need to protect it from brute-force attackers. So for security I have something like an "authentication required" box where the user needs to enter a key in order to continue using the web app.

If it is sent 2-3 times from the same IP address, then the IP is blocked for around 30 minutes. This is OK, but I read that it is possible for the hacker to change the IP every 2-3 attempts.

Now I'm thinking of putting a captcha on the form for better security, but then I read that captcha is a bad idea.

So now I really don't know what I can do to protect the web app from brute-force attacks.

So my question is: how can I best protect against brute-force attacks? Is a captcha a good idea to put in the authentication form, or a bad idea?

A good practice is to have CSRF protection on your forms. Most popular frameworks have this functionality built in to their form classes. It all ends up with a hidden input in your form whose value is refreshed on every page load and is checked on form submit by the backend service.

Example CSRF token generated by PhalconPHP framework:

<input type="hidden" name="OlHsF0T091MhuDR" value="d7xvFcHKUh8FjWU">

More info about CSRF protection here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Also I'm pretty sure you will find plenty of guides online on how to implement your own solution in your custom framework.

And now about Captchas.

Captchas are always a good idea on registration or contact forms. However, on login forms using a Captcha would be frustrating for most of your users. A good practice which I've seen used by bank or payment websites is that they show a Captcha on login after a few failed attempts. An example of Skrill using this practice: https://account.skrill.com/login?locale=en

I would recommend using Google's reCAPTCHA service because it is really easy for your real users and, most of all, it provides accessibility to users with disabilities. Also, Google provides nice statistics and handles bots quite well.
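
The answer's "captcha after a few failed attempts" rule combined with the question's 30-minute IP block, as an added example that is not part of the original answer or of any framework's code. The class name `LoginThrottle`, the `app-key` target label and the in-memory array storage are assumptions; a real app would keep the counters in a shared store such as a database.

```php
<?php
declare(strict_types=1);
// Added example: failures are counted per IP *and* per guessed target, so an
// attacker who rotates IP addresses still trips the captcha on the target.
final class LoginThrottle
{
    private const WINDOW = 1800; // 30 minutes, as in the question
    private const LIMIT = 3;     // failed attempts tolerated, as in the question

    /** @var array<string, int[]> bucket name => failure timestamps */
    private array $failures = [];

    public function recordFailure(string $ip, string $target, int $now): void
    {
        $this->failures["ip:$ip"][] = $now;
        $this->failures["target:$target"][] = $now;
    }

    public function recordSuccess(string $target): void
    {
        // Clear only the target counter; the IP counter simply ages out, so a
        // valid login elsewhere cannot be used to reset a guessing IP.
        unset($this->failures["target:$target"]);
    }

    /** Returns 'allow', 'captcha' or 'block' for the next attempt. */
    public function decide(string $ip, string $target, int $now): string
    {
        if ($this->recent("ip:$ip", $now) >= self::LIMIT) {
            return 'block';   // the question's per-IP block
        }
        return $this->recent("target:$target", $now) >= self::LIMIT
            ? 'captcha'       // the answer's captcha after a few failures
            : 'allow';
    }

    private function recent(string $bucket, int $now): int
    {
        // Drop timestamps that fell out of the window, then count the rest.
        $kept = array_values(array_filter(
            $this->failures[$bucket] ?? [],
            fn (int $t): bool => $t > $now - self::WINDOW
        ));
        $this->failures[$bucket] = $kept;
        return count($kept);
    }
}
// Constructed demo: four wrong guesses at one target, each from a different IP.
$throttle = new LoginThrottle();
foreach (['203.0.113.1', '203.0.113.2', '203.0.113.3', '203.0.113.4'] as $i => $ip) {
    echo $ip, ' -> ', $throttle->decide($ip, 'app-key', 1700000000 + $i), PHP_EOL;
    $throttle->recordFailure($ip, 'app-key', 1700000000 + $i);
}
```

The target counter only requires a captcha and never locks the target out, so a stranger cannot deny access to a legitimate user just by guessing wrong.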